An aggregate of all of GoVanguard’s InfoSec & Cybersecurity related Posts, News, Threats and Data Feeds.

The Amazon Photos app for Android insufficiently protected user access tokens, according to a blog post published on Wednesday. Theoretically, with exposed tokens, an attacker could’ve accessed users’ personal data from a number of different Amazon apps – not just Photos but also, for example, Amazon Drive. They also could have performed a ransomware attack, locking up or permanently deleting photos, documents and more. The findings were first reported to Amazon’s Vulnerability Research Program on November 7th of last year. On December 18th, Amazon announced that the issues had been fully resolved. To authenticate users across various apps within their ecosystem, like other software suite vendors, Amazon uses access tokens. It’s convenient for users, but also, potentially, for attackers. In their report, researchers from Checkmarx described how access tokens naturally leaked through an Amazon application programming interface (API) through “a misconfiguration of the com[.]amazon[.]gallery[.]thor[.]app[.]activity[.]ThorViewActivity component, which is implicitly exported in the app’s manifest file” – manifest files describe critical application information to the Android OS and Google Play store – “thus allowing external applications to access it. Whenever this activity is launched, it triggers an HTTP request that carries a header with the customer’s access token.” In a video explainer, they put it in simpler terms: “You can think of it as the password being sent to other…


Eighty-two percent of attacks on organizations in Q1 2022 were caused by the external exposure of a known vulnerability in the victim’s external-facing perimeter or attack surface. Those unpatched bugs overshadowed breach-related financial losses tied to human error, which accounted for 18 percent. The numbers come from Tetra Defense and its quarterly report that sheds light on a notable uptick in cyberattacks against United States organizations between January and March 2022. The report did not let employee security hygiene, or a lack thereof, off the hook. Tetra revealed that a lack of multi-factor authentication (MFA) mechanisms adopted by firms and compromised credentials are still major factors in attacks against organizations.

External Exposures: A Major Path of Compromise

The study looks at the Root Point of Compromise (RPOC) in attacks. The RPOC is the initial entry point through which a threat actor infiltrates a victim organization and is categorized as the external exposure of a known vulnerability, a malicious action performed by the user, or a system misconfiguration. “Incidents caused by unpatched systems cost organizations 54 percent more than those caused by employee error,” according to the report. Researchers draw a line of distinction between “External Vulnerabilities” and “Risky External Exposures”. External Vulnerabilities, as defined by Tetra Defense, refers to incidents where an attacker leverages a publicly available exploit to attack the victim’s…


By Maurice Uenuma, Vice President, Enterprise Sales, Tripwire

There has been a lot of talk recently about cyber resilience. There is no doubt that the ability to bounce back from a security event is important; however, all of the resilience banter seems to be happening to the detriment of sound risk management processes. It is safe to say that the path to resilience is paved with risk management. Risk management can be a tricky endeavor. Too many security professionals have been ambushed in meetings with a risk manager who drifts into wild flights of fancy. These types of unbridled catastrophic imaginings miss the point of solid risk management. One way to rein in these “journeys of the unlikely” is with the use of a solid assurance framework. One of the most notable assurance frameworks for risk management is offered by HITRUST.

What is HITRUST?

Many people in the healthcare industry are familiar with HITRUST, but the approach is not specific or limited to healthcare. In fact, it is industry agnostic. The assurance approach it offers is useful for all industries that need to address compliance and risk management. What makes it superior to the other available models? The answer lies in the way that it engages an organization’s risk profile.

Building upon the Capability Maturity Model (CMM) and NIST’s PRISMA, the HITRUST approach leverages best-in-class components for a comprehensive information risk management and compliance program that integrates and aligns the following:

  • HITRUST CSF – a robust privacy and security controls framework which harmonizes dozens of authoritative sources such as HIPAA, ISO 27001, and NIST 800-171.
  • HITRUST Assurance Program — a scalable and transparent means to provide reliable assurances to internal and external stakeholders.
  • HITRUST MyCSF — a HITRUST CSF compliance operations and audit management platform used by organizations adopting the HITRUST CSF, their external assessors, and HITRUST.
  • HITRUST Shared Responsibility Program — a means to automatically import prior HITRUST control assessment testing results and scoring that are available from providers of internal shared IT services and external cloud-hosted services, supported by a suite of matrices that clarify shared responsibilities.
  • HITRUST Assessment XChange — a third-party risk management solution.
  • HITRUST Third Party Assurance Program — a third-party risk management process.

Today, many compliance gap assessments (including HITRUST, ISO 27001, etc.) represent a “point-in-time” evaluation to determine whether a particular benchmark of control implementation and operation is achieved. The assessment activities are then reviewed and re-performed periodically (e.g., annually). Unfortunately, this method requires assessors and certification bodies to extrapolate across a future time period based on current-state assessment results.

HITRUST is working to incorporate concepts of Information Security Continuous Monitoring (ISCM) into its assurance program’s methodology and offerings. The end goal of HITRUST’s efforts is to change the “point-in-time” nature of traditional security assessments to one of an ongoing, prospective nature by providing assessed entities, HITRUST assessors, and HITRUST itself a view into the status of controls with a frequency sufficient to make ongoing, risk-based decisions. The end result is even greater reliability of HITRUST as well as the possibility of ongoing HITRUST certifications valid for much longer than today’s HITRUST certification offerings.

The only thing worse than discovering gaps in a security program is finding controls that have gone neglected to the point that an old gap is re-opened. An ISCM approach prevents this because controls degrade less between checks than they do under the traditional periodic review. Other tangible benefits include:

  • Longer periods between comprehensive control gap assessments.
  • Reduced time and effort needed to maintain certification.
  • Reduced lifecycle costs for maintaining certification.
  • Higher levels of assurance and trust with and amongst external stakeholders such as regulators, business partners, and customers.

Certification is important, as it offers objective verification that a security program is operating within the parameters of its intended design. This has implications beyond the comfort of a successful audit cycle. Through ISCM, the HITRUST Assurance Program will allow the findings in the HITRUST Assessment Report to be truly prospective.

Many security initiatives are viewed as “cost centers,” not adding value to an organization. From a monetary perspective, a HITRUST certification adds value not only by helping a company meet cybersecurity insurability standards, but also by lowering those insurance premiums. This is because the HITRUST standard commands high confidence in the industry. This is also recognized by entities such as the US Government Accountability Office (GAO), which is tasked with saving taxpayer money.

HITRUST & Tripwire

Continuous monitoring is not an entirely new concept; however, achieving it requires tools that can facilitate this ideal. The HITRUST ISCM methodology integrates perfectly with Tripwire to move an organization towards this state of constant compliance and security. Whether it is monitoring or configuration management, these all add to a near real-time awareness of an organization’s risk profile.

With HITRUST ISCM, coupled with Tripwire, an organization can move away from the annual “heavy assessment” to a baseline of understanding and continual compliance throughout the assessment period, so that it knows when a control stops functioning. Tripwire can help an organization change the way assurance is obtained, maintained, and communicated.

Security assurance and compliance can be achieved and maintained with the HITRUST ISCM approach, coupled with Tripwire. This also transforms security into a measurable, metric-based discipline, which is a vital stepping-stone towards security resilience.

About Tripwire

For more than 20 years, Tripwire has protected the world’s leading organizations against the most damaging cyberattacks, keeping pace with rapidly changing tech complexities to defend against ever-evolving threats. We’re here to help organizations build strong foundations for security, compliance, and operational excellence.

Download the HITRUST CSF

The HITRUST Approach is built upon the comprehensive and scalable HITRUST CSF framework, which helps organizations of all sizes implement and enhance information risk management and compliance programs. For eligible organizations, the HITRUST CSF is available to download free of charge.


The post HITRUST: The Path to Cyber Resilience appeared first on HITRUST Alliance.


On December 7, 2021, Google announced it was suing two Russian men allegedly responsible for operating the Glupteba botnet, a global malware menace that has infected millions of computers over the past decade. That same day, AWM Proxy — a 14-year-old anonymity service that rents hacked PCs to cybercriminals — suddenly went offline. Security experts had long seen a link between Glupteba and AWM Proxy, but new research shows AWM Proxy's founder is one of the men being sued by Google.

[Image caption: AWMproxy, the storefront for renting access to infected PCs, circa 2011.]

Launched in March 2008, AWM Proxy quickly became the largest service for crooks seeking to route their malicious Web traffic through compromised devices. In 2011, researchers at Kaspersky Lab showed that virtually all of the hacked systems for rent at AWM Proxy had been compromised by TDSS (a.k.a. TDL-4 and Alureon), a stealthy "rootkit" that installs deep within infected PCs and loads even before the underlying Windows operating system boots up. In March 2011, security researchers at ESET found TDSS was being used to deploy Glupteba, another rootkit that steals passwords and other access credentials, disables security software, and tries to compromise other devices on the victim's network — such as Internet routers and media storage servers — for use in relaying spam or other malicious traffic. A report from the Polish computer emergency response team (CERT Orange Polska) found Glupteba was by far the biggest malware…


Baker McKenzie’s Sanctions Blog published the alert titled OFAC Issues New FAQs on Export Ban on Certain Services on 14 June 2022. Read the article via the link here. Please also visit our Sanctions Blog for the most recent updates.

The post United States: OFAC Issues New FAQs on Export Ban on Certain Services appeared first on Global Compliance News.


Cybercrime is on the rise, and attacks are getting faster, more nuanced and increasingly sophisticated. The number of cyberattack-related data breaches rose 27 percent in 2021 — an upward trend that shows no signs of slowing down. Bad security habits, such as using the same password more than once, may seem innocuous, but unchecked bad behavior or security habits can leave your organization open to a devastating breach. Bad security habits cost businesses millions of dollars. Consider this: the average cost of a data breach reached $4.24 million per incident in 2021, the highest in 17 years. If a hacker compromises your servers and steals confidential data, it could spell the end of your company. This list covers 6 of the most common bad security habits and how to fix them so you can protect your data and prevent malicious attacks.

1. Poor Password Hygiene

More than 60 percent of all data breaches involve stolen or weak credentials. Using the same password, sharing passwords, writing passwords down on sticky notes — as security leaders, we’ve seen the same terrible password practices for years. Don’t make attackers’ jobs easier! Break the habit: Establish a company-wide password policy, use a password manager, and enable multi-factor authentication to reduce the risk of unauthorized account access. Your password policy should include guidelines on creating strong passwords, how often passwords should be updated, and instructions on how to securely share passwords between…


On May 16, 2022, the Biden administration announced the relaxing of certain limited Cuban sanctions and other regulatory changes to expand communication, travel, and commerce between the United States and Cuba. The related fact sheet can be found here.

The US State Department outlined four changes to Cuba policy in the announcement:

  • Facilitate family reunification: The Cuban Family Reunification Parole Program will be reinstated and capacity for consular services and visa processing will continue to increase, making it possible for more Cubans to join their families in the United States via regular migration channels.
  • Expand authorized travel: Scheduled and charter flights to locations beyond Havana will again be authorized following restrictions implemented in 2019 and 2020. The Biden administration will also implement regulatory changes to reinstate group people-to-people and other categories of group educational travel, as well as certain travel related to professional meetings and professional research. Our most recent blog post about travel restrictions against Cuba is here. On June 1, 2022, the US Department of Transportation issued a corresponding Order revoking previous actions restricting certain air services between the US and Cuba, which we previously blogged about here, here, and here.
  • Support greater access to US Internet services, applications, and e-commerce platforms: There will now be support for greater access to expanded cloud technology, application programming interfaces, and e-commerce platforms. Additionally, the United States will explore new options for Internet-based activities, electronic payments, and business with independent Cuban entrepreneurs, providing entrepreneurs’ access to microfinance and training.
  • Enable increased remittance flows to the Cuban people: Remittances will flow more freely to the Cuban people as a general matter. Specifically, the current limit on family remittances of $1,000 per quarter per sender-receiver pair will be removed and donative remittances, which will support independent Cuban entrepreneurs, will be authorized. We blogged about US restrictions on remittances to Cuba here.

These changes modify neither the US embargo of Cuba, nor Cuba’s designation as a state sponsor of terrorism, nor the majority of the restrictions on Cuba implemented by the Trump administration, which we previously blogged about here, here, here, and here.

Pursuant to the above policy changes, on June 9, the Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) amended the Cuban Assets Control Regulations to implement some of the elements of the President’s foreign policy to increase support for the Cuban people. The rule authorizes group people-to-people educational travel to Cuba and removes certain restrictions on authorized academic educational activities, authorizes travel to attend or organize professional meetings or conferences in Cuba, removes the $1,000 quarterly limit on family remittances, and authorizes donative remittances to Cuba.

The post United States: Biden Administration relaxes certain limited Cuban sanctions appeared first on Global Compliance News.


Ransomware groups are abusing unpatched versions of a Linux-based Mitel VoIP (Voice over Internet Protocol) application and using it as a springboard to plant malware on targeted systems. The critical remote code execution (RCE) flaw, tracked as CVE-2022-29499, was first reported by Crowdstrike in April as a zero-day vulnerability and is now patched. Mitel is popularly known for providing business phone systems and unified communication as a service (UCaaS) to all forms of organizations. Mitel focuses on VoIP technology, allowing users to make phone calls using an internet connection instead of regular telephone lines. According to Crowdstrike, the vulnerability affects the Mitel MiVoice appliances SA 100, SA 400 and Virtual SA. MiVoice provides a simple interface to bring all communications and tools together.

Bug Exploited to Plant Ransomware

Researchers at Crowdstrike recently investigated a suspected ransomware attack. The team handled the intrusion quickly, but believes the vulnerability (CVE-2022-29499) was involved in the ransomware strike. Crowdstrike traced the origin of the malicious activity to an IP address associated with a Linux-based Mitel VoIP appliance. Further analysis led to the discovery of a novel remote code exploit. “The device was taken offline and imaged for further analysis, leading to the discovery of a novel remote code execution exploit used by the threat actor to gain initial access to the environment,” Patrick…


Russia-linked cyber collective Killnet has claimed responsibility for DDoS attacks Monday on the Lithuanian government and other entities in the Baltic country over the closure of transit routes to the Russian exclave of Kaliningrad, according to researchers. The threat group warns that it will keep up attacks until the issue is resolved. On Monday, Lithuania’s National Cyber Security Center (NKSC) under the Ministry of National Defense warned of intense and ongoing DDoS attacks against Lithuania’s Secure National Data Transfer Network as well as other governmental institutions and private companies in the country. The attacks, which the government expects to continue and to target other critical infrastructure in Lithuania, disrupted access to services for users of the secure data network, the NKSC said in a public statement. “It is highly probable that such or even more intense attacks will continue into the coming days, especially against the communications, energy and financial sectors,” Jonas Skardinskas, acting NKSC director and head of cyber security management department, said in a statement.

Motivation for Attacks

Russia-based Killnet apparently launched the attacks in response to the Lithuanian government’s announcement on June 18 that it would close routes between the Baltic country and the Russian exclave of Kaliningrad for transport of steel and other metals, according to Flashpoint, which published a blog post by the Flashpoint team on the attacks Monday….


The Cybersecurity and Infrastructure Security Agency (CISA) and Coast Guard Cyber Command (CGCYBER) released a joint advisory warning that the Log4Shell flaw is being abused by threat actors who are compromising public-facing VMware Horizon and Unified Access Gateway (UAG) servers. VMware Horizon is a platform used by administrators to run and deliver virtual desktops and apps in the hybrid cloud, while UAG provides secure access to the resources residing inside a network. According to CISA, in one instance the advanced persistent threat (APT) actor compromised the victim’s internal network, reached a disaster recovery network, and extracted sensitive information. “As part of this exploitation, suspected APT actors implanted loader malware on compromised systems with embedded executables enabling remote command and control (C2),” CISA added.

Attack Analysis

CGCYBER conducted a proactive threat hunting engagement at an organization that was compromised by threat actors who exploited Log4Shell in VMware Horizon. This revealed that after gaining initial access to the victim system, the adversary uploaded malware identified as “hmsvc.exe”. The researchers analyzed the sample of the hmsvc.exe malware and confirmed that the process masquerades as a legitimate Windows service and is an altered version of the SysInternals LogonSessions tool. According to the researchers, the sample of hmsvc.exe malware was running with the highest privilege level on a Windows system and…